In this talk, Noam and Keith describe the prior architecture for Adobe’s Document Cloud web application, some secure-by-default services and frameworks Adobe has developed that can be leveraged by the rest of the organization, and the new architecture they’ve moved to and its associated hardening steps and security best practices.
Building Reusable Security Controls
The biggest, most important takeaway from this talk is the value in investing in robust, secure by default services and infrastructure that can be used across an organization. This lets you solve a problem domain once, well, and then reap those security wins everywhere.
One Standard to Rule Them All
One particular aspect of this I found especially interesting is that they evaluated over 10 different standards (e.g. SOC, FedRAMP, ISO 27001, HITRUST) with around ~1,350 control requirements, and distilled that down to ~290 common controls across 20 control domains.
Holy cow, that is a lot of work! But once you do it, you know that if you follow these controls you can (relatively) easily be compliant to a vast number of relevant standards. Pretty smart 👍
Security Control Examples
The talk then gives several example of security controls, including an Identity Management Service based on OAuth 2.0, a shared cloud platform for storing data, and CI/CD infrastructure.
Ethos is a standardized container-based way that Adobe teams can do CI/CD. It’s compliant to their Common Control Framework, has centralized, hardened base containers, supports multiple environments (e.g. dev, stage, and production), and will later support Kubernetes for container orchestration.
The rest of the talk walks through various aspects of their new architecture.
They cover their CDN, securing the NGINX proxy server, protecting AWS S3 buckets, using React, Adobe.io gateway authentication and service token signing, and more.
One part I found interesting is how NGINX is used in several ways to enhance
security, including adding a strong
Content-Security-Policy and several
security-focused headers, like
X-Frame-Options 'SAMEORIGIN', etc., as well as what’s listed below.
This idea of using a proxy to add security properties is also discussed in Hongyi Hu’s excellent AppSec Cali 2019 talk, The Call is Coming From Inside the House: Lessons in Securing Internal Apps, which I highly recommend.